  1. #1
    SitePoint Member
    Join Date
    Apr 2005
    Posts
    7

    IPFW rules for FreeBSD?

    Hey Guys,

    My FreeBSD server got hacked and I would like to finally configure an IPFW firewall. I've got it installed and enabled OK, but I'm just confused by the rules to configure the firewall.

    Basically I was hoping that someone could send me some simple & easy to understand IPFW rules that will only enable the ports for WWW, DNS, SMTP, POP3, SSH2, and SNMPD. And have all the other ports denied.

    Any help would be greatly appreciated.

    Regards,

    Dan

  2. #2
    SitePoint Addict
    Join Date
    Jun 2004
    Location
    Atlanta, GA
    Posts
    366
    This should work for you (it's similar to my setup).

    ipfw add check-state #check to see if the packet matches any dynamic rules
    ipfw add allow ip from any to any via lo0 #allow all traffic on localhost
    ipfw add deny ip from any to 127.0.0.0/8 # deny any other traffic routed to loopback interface
    ipfw add allow tcp from any to any established #allow established connections
    ipfw add allow ip from any to any keep-state out #allow all outgoing traffic
    ipfw add allow tcp from any to any 22 in #allow SSH
    ipfw add allow tcp from any to any 25 in #allow SMTP
    ipfw add allow tcp from any to any 53 in #allow DNS
    ipfw add allow udp from any to any 53 in #allow DNS (udp needed as well)
    ipfw add allow tcp from any to any 80 in #allow WWW
    ipfw add allow tcp from any to any 110 in #allow POP3
    ipfw add allow udp from any to any 161 in #allow SNMPD
    ipfw add deny all from any to any in #deny all other incoming traffic

    If that doesn't work you may have to adjust things a bit but that should give you a general idea.

  3. #3
    SitePoint Member
    Join Date
    Apr 2005
    Posts
    7
    Do you know if "ip" and "all", in regards to IPFW, are the same thing?

    Thanks for your help, I definitely appreciate it. I'll post what I've got so far soon, so you can see what you think.

    Dan

  4. #4
    SitePoint Member
    Join Date
    Apr 2005
    Posts
    7
    This is what I've got so far. I took what you gave me and combined it with some other examples that people sent me, as well as the online examples too. Please let me know what you think, and if I'm missing anything important as to what I was originally trying to go for.



    #################################################
    # IPFW Firewall Commands
    #################################################
    cmd="ipfw -q add"
    ipfw -q -f flush


    #################################################
    # Allow Loopback and Deny Loopback Spoofing
    #################################################
    $cmd allow ip from any to any via lo0
    $cmd deny ip from any to 127.0.0.0/8
    $cmd deny ip from 127.0.0.0/8 to any
    $cmd deny tcp from any to any frag


    #################################################
    # Stateful Rules
    #################################################
    $cmd check-state
    $cmd allow tcp from any to any established
    $cmd allow ip from any to any keep-state
    $cmd allow icmp from any to any


    #################################################
    # Incoming/Outgoing Services
    #################################################
    $cmd allow tcp from any to any 22 setup keep-state
    $cmd allow tcp from any to any 25 setup keep-state
    $cmd allow tcp from any to any 53 setup keep-state
    $cmd allow udp from any to any 53 keep-state
    $cmd allow tcp from any to any 80 setup keep-state
    $cmd allow tcp from any to any 110 setup keep-state
    $cmd allow tcp from any to any 161 setup keep-state


    #################################################
    # Deny and Log
    #################################################
    $cmd deny log all from any to any

  5. #5
    SitePoint Addict
    Join Date
    Jun 2004
    Location
    Atlanta, GA
    Posts
    366
    That third rule under the stateful section is bad. That will allow all traffic.

    I had added "out" to the end of that rule in my config to allow all outgoing traffic. Without that it will allow all incoming and outgoing.
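
    An added check for the point made in this reply (example script written for this thread, not the poster's own code): it reads a ruleset in the form of post #4 and flags an unqualified "allow ip from any to any keep-state" plus every rule shadowed behind it, treating "ip" and "all" as the synonyms ipfw makes them (the question from post #3). SAMPLE_RULES and lint_ipfw_rules are names chosen here; the sample ruleset is a condensed, constructed copy of post #4.

```shell
#!/bin/sh
# Added example, not code from the thread: a lint for an ipfw rule script.
# Reads "$cmd ..." / "ipfw add ..." lines and reports two problems:
#  1. an unqualified stateful catch-all ("allow ip|all from any to any
#     keep-state" with no in/out/via), which matches every packet in both
#     directions: the rule post #5 flags in the script from post #4;
#  2. any rule placed after an unqualified catch-all, which can never match.
# ipfw treats "ip" and "all" as synonyms for "any IP protocol".

# Constructed sample: the post #4 script, condensed, with the bad rule intact.
SAMPLE_RULES='cmd="ipfw -q add"
ipfw -q -f flush
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd check-state
$cmd allow tcp from any to any established
$cmd allow ip from any to any keep-state
$cmd allow tcp from any to any 22 setup keep-state
$cmd deny log all from any to any'

# lint_ipfw_rules: rules on stdin; one finding per line on stdout; exit 1 if any.
lint_ipfw_rules() {
    awk '
    {
        # Drop the "$cmd" or "ipfw [-q] add" prefix so $1 is the action.
        if ($1 == "$cmd") { $1 = "" }
        else if ($1 == "ipfw" && $2 == "-q") { $1 = ""; $2 = ""; $3 = "" }
        else if ($1 == "ipfw") { $1 = ""; $2 = "" }
        else next
        $0 = $0                           # re-split after blanking fields
        if ($1 != "allow" && $1 != "deny") next
        n++; rule = $0                    # n counts allow/deny rules only
        if (shadow != "") { printf "rule %d unreachable, shadowed by: %s\n", n, shadow; found++; next }
        p = 2; if ($p == "log") p++       # skip the optional log keyword
        proto = $p; if (proto == "all") proto = "ip"
        catchall = (proto == "ip" && $(p+1) == "from" && $(p+2) == "any" && $(p+3) == "to" && $(p+4) == "any")
        qualified = 0; stateful = 0
        for (i = p + 5; i <= NF; i++) {
            if ($i ~ /^#/) break          # rest of the line is a comment
            if ($i == "in" || $i == "out" || $i == "via" || $i == "recv" || $i == "xmit" || $i == "frag") qualified = 1
            if ($i == "keep-state") stateful = 1
        }
        if (catchall && !qualified) {
            if ($1 == "allow" && stateful) { printf "rule %d allows every packet in both directions (add in or out): %s\n", n, rule; found++ }
            shadow = rule                 # everything after this rule is dead
        }
    }
    END { exit found > 0 }'
}

printf '%s\n' "$SAMPLE_RULES" | lint_ipfw_rules || echo "ruleset has problems"
```

    Run against the sample it reports the catch-all as rule 4 and the SSH and final deny rules as unreachable; with "out" appended to that rule it reports nothing.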

  6. #6
    SitePoint Member
    Join Date
    Apr 2005
    Posts
    7
    Oops, I fixed it. Was there anything else that you saw that was bad or needed to be changed? Thanks again for your help. It's definitely appreciated.

    Dan

  7. #7
    SitePoint Addict
    Join Date
    Jun 2004
    Location
    Atlanta, GA
    Posts
    366
    The rest looks fine as far as I can tell.

  8. #8
    SitePoint Enthusiast
    Join Date
    Dec 2003
    Location
    world wide
    Posts
    32
    Just a heads up. A firewall won't stop anyone from hacking you.

    You first have to find out how they got in. My guess would be a buggy php script. In this case the firewall doesn't help you at all, because port 80 is still open and they can get in again.

    Also, you've firewalled only the closed ports; there's little protection in that, because if there's no daemon running on that port there's no way for someone to get in using that port...

    I would suggest you find out how they got in and start from there.

  9. #9
    SitePoint Member
    Join Date
    Apr 2005
    Posts
    7
    Hey loman,

    Yes, I understand that. I also wanted to set up firewalls for other (non-hacked) servers that we run, including the one that got hacked.

    I suspect that they hacked one of the many cgi scripts that we host. I know that since port 80 is open they'll be able to get in, but since all the other ports are closed, they shouldn't be able to run other blocked program ports, right?

    What these hackers were doing, was getting in at port 80, but starting up an IRC program that used port 50000. My guess would be since all the other ports are blocked, they won't be able to open other ports to run their programs???

    I'm still in the process of trying to find the buggy script they used to get in. Of course, firewalling after the fact doesn't help much, but it should prevent other hacks outside of port 80.

